Tor: Anonymity Online

Caught in the Network

By PAUL CESARINI

At 9:15 one Thursday morning, there came a polite knock on my mostly closed office door. I was expecting the knock. A student was coming to talk to me about getting into one of my courses, which he needed to graduate.

So when I heard the knock, I said, “C’mon in, Kyle.” Someone said, “Hello?” and came in, along with two smartly dressed men extending business cards to me.

I recognized the speaker as a network-security technician in my university’s office of information-technology services. The other men were not familiar, but a quick glance at their cards told me they were detectives on our campus police force. They closed my office door behind them, sat down, took out notepads and pens, and asked if I had a few minutes to speak with them about Tor.

Tor — an acronym for The Onion Router — is a freely available, open-source program developed by the U.S. Navy about a decade ago. A browser plug-in, it thwarts online traffic analysis and related forms of Internet surveillance by sending your data packets through different routers around the world. As each packet moves from one router to the next, it is encoded with encrypted routing information, and the previous layer of such information is peeled away — hence the “onion” in the name.

Basically, Tor is a way to surf the Internet anonymously. Someone looking up potentially sensitive information might prefer to use it — like a person who is worried about potential exposure to a sexually transmitted disease and shares a computer with roommates. Abuse survivors might not want anyone else knowing they have visited Web sites for support groups related to rape or incest. Journalists in repressive regimes with state-controlled media use Tor to reach foreign online news sites, chat rooms, blogs, and related venues for information.

Tor can also be useful in e-commerce. For example, Amazon.com knows more about my shopping habits and tastes than my wife does. I appreciate Amazon’s ability to make recommendations based on my previous purchases. But in 2000, Amazon admitted experimenting with so-called dynamic pricing, charging different people different prices for the same MP3 player; the prices were presumably based on estimates of what each user would be willing to pay, considering prior purchases. Online merchants could all do that, thanks to traffic analysis. They know who I am when I log on — unless I delete their cookies or use Tor.Of course, anonymous Web surfing can be used to conceal fraud and other forms of electronic malfeasance. That was why the police had come to see me. They told me that only two people on our campus were using Tor: me and someone they suspected of engaging in an online scam. The detectives wanted to know whether the other user was a former student of mine, and why I was using Tor.

Widespread use of Tor could be a huge headache for network-security administrators, particularly in higher education. My university alone has more than 21,000 students. Imagine what would happen if even a tenth of them and a similar percentage of faculty and staff members started using Tor regularly. With all the spam scams, phishing scams, identity theft, and related criminal enterprises going on around the world — many of which involve remotely hijacking university-owned computers — we could approach technological anarchy on the campus.

My reason for downloading and installing the Tor plug-in was actually simple: I’d read about it for some time, was planning to discuss it in two courses I teach, and figured I should have some experience using it before I described it to my students. The courses in question both deal with controlling technology, diffusing it throughout society, and freedom and censorship online.

When I cover online censorship in countries with no free press, I focus on how those countries rely on hardware, software, and phalanxes of people to make sure citizens can reach only government-approved media. Crackdowns on independent journalists, bloggers, and related dissidents all too often result in their being beaten, incarcerated, or worse. Technologies like Tor represent a beacon of freedom to people in those countries, and I would be doing my students a disservice if I didn’t mention it.

The detectives and network-security technician listened patiently to me, wearing their best poker faces. They then gave me a copy of the university’s responsible-use policy, which employees must agree to abide by when we first sign up for our e-mail accounts. They pointed out that my actions violated at least three provisions of that policy.

I wasn’t particularly impressed. I had helped edit and revise that policy when I worked for the information-technology office before I earned my Ph.D., and I knew that neither Tor nor any similar program had existed when the policy was first written. I also knew that the provisions in question were vague.

My visitors next produced page after page of logs detailing my apparent use of Tor. While I couldn’t dispute most of the details in the logs, they seemed inaccurate. For example, the technician said I had been using Tor earlier that morning. In fact, I had been at Wal-Mart that morning looking for a good deal on an HDTV; I had reached my office only about five minutes earlier.

More important, the logs did not prove any wrongdoing on my part. All they demonstrated was that I, like thousands of others around the world, had installed and infrequently used Tor. In my case, of course, there was no wrongdoing.

Nonetheless, my visitors made two requests: that I stop using Tor, and that I avoid covering it in class.

Having been on the administrative end of academic technology, I appreciate the difficulties facing the information-technology staff. No one pats you on the back if nothing goes wrong, but if something does — if a virus or worm sweeps through the campus’s network infrastructure, or someone hijacks some computers to churn out spam — you are off everyone’s Christmas-card list. The last thing my former colleagues needed was some smarmy faculty member spouting off about academic freedom and threatening to demonstrate Tor to 100-plus students each semester.

Their job is to protect the network that allows me to do my job: to teach classes that are mostly or entirely online, and to conduct research. If they weren’t here as the first or even only line of defense against the unscrupulous elements of our technological society, my university would cease to function. It’s as simple as that.

Furthermore, I do not rely heavily on Tor, or even think much about it outside the context of my courses. I find all that routing makes it slow to use, even with the superfast connection I have at work.

But it is being used all around the world, by people in countries that restrict their access to information, by corporate whistle-blowers, and by digital-rights activists. It’s even being used by average people like me, as a way to keep innocuous and personal online activities private.

So in the head-on collision between my appreciation of the role IT staff members play on my campus and my understanding of the role I have to play for my students, my need for academic freedom won. I found myself lecturing my three visitors into near catatonia about the uses of Tor.

Finally, they shook my hand, thanked me for talking with them, reminded me that I was probably violating the responsible-use policy, and left. They had bigger game to catch: the other Tor user on the campus.

A moment later, I heard another knock on my door. One of the detectives had come back to ask if I would reconsider my position. I told him that while I would think about giving up Tor, I honestly felt that this was a clear case of academic freedom, and I could not bow to external pressure. I reminded him that Tor is a perfectly legal, open-source program that serves a wide variety of legitimate needs around the world.

He nodded and left. Feeling an odd mixture of righteous indignation, patriotism, and dread, I closed the door.

Almost immediately, I heard still another knock. In perhaps an overly dramatic fashion, I raised my voice and bravely said, as I opened the door, “I’m sorry, but it’s about academic freedom!”

There was Kyle, add/drop slip in one hand, pen in the other, grooving to his iPod, looking at me blankly.

Paul Cesarini is an assistant professor of visual communication and technology education at Bowling Green State University.